Skip to content

Walk me through how you enumerate a brand-new target box.

Short answer

Start with a full TCP port scan, then enumerate every open service in depth — banners, versions, default creds, anonymous access, and web content — before touching any exploit. Most boxes fall to thorough enumeration, not clever exploits, which is the core of the 'try harder' mindset.

Enumeration is the single most important phase on the OSCP exam and in real engagements. The certification's "try harder" motto is not about brute force — it is about being systematic and refusing to skip steps. Most failed boxes come from incomplete enumeration, not from a missing exploit.

The mindset

Treat enumeration as a loop, not a checkbox. Every piece of information you gather opens new questions: a version number leads to a CVE search, a username leads to a password spray, a web directory leads to a config file. You keep enumerating until the path forward is obvious.

A repeatable order

  1. Port discovery. Full TCP scan of all 65535 ports so nothing on a high port is missed, then a targeted version/script scan on what is open.
  2. Service enumeration. For each open port, identify the exact service and version, check for default or anonymous access, and pull banners.
  3. Deep dives. Web servers get directory brute forcing and source review; SMB gets share and user enumeration; databases get default-cred checks.
  4. Correlate. Cross-reference findings — a username from SNMP might be the SSH login; a version from a banner might have a public exploit.

Avoiding rabbit holes

Time-box each path. If a lead has not produced progress, note it and move to the next open service. Keep a running list of every finding so you can return to it. Breadth first, then depth on the most promising lead.

What interviewers look for

They want to hear that you scan completely, enumerate every service before exploiting, and let evidence drive your next move. Candidates who jump straight to exploits or rely on automated frameworks signal they will get stuck the moment a box has no canned exploit.

Likely follow-ups

  • What do you do when your enumeration turns up nothing exploitable?
  • How do you avoid rabbit holes during enumeration?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.